"""
interview/permissions.py — Custom DRF permissions for the admin dashboard.
"""
from rest_framework.permissions import BasePermission
class IsAdminRole(BasePermission):
    """
    Permission that admits only admin-level users.

    A request passes when ``request.user`` is present and authenticated AND
    the user is either a superuser or carries ``role == 'admin'``.  Everything
    else — anonymous requests, authenticated non-admin users, and user objects
    with no ``role`` attribute at all — is rejected, so a valid token on its
    own never grants access to Dashboard-only endpoints.
    """

    # Returned to the client by DRF when the check below fails.
    message = 'Acceso denegado. Se requiere rol de administrador.'

    def has_permission(self, request, view):
        """
        Decide whether *request* may reach *view*.

        Returns a falsy value unless the user is authenticated and is a
        superuser or has ``role == 'admin'``; *view* is not consulted.
        """
        user = request.user
        # Missing or unauthenticated principal: deny before looking at roles.
        if not user or not user.is_authenticated:
            return False
        superuser_flag = user.is_superuser
        if superuser_flag:
            return superuser_flag
        # Users without a ``role`` attribute fall back to '' and are denied.
        return getattr(user, 'role', '') == 'admin'